IPsec server in OpenWrt

I have configured an IPsec server on my OpenWrt router to use it from my Android device when I am connected to an untrusted network. Previously I used OpenVPN, but it drains too much battery, so I want to test whether this solution, which is built into Android, works better.

Authentication is done only with certificates, and the tunnel is configured dual stack. Android doesn’t seem to support getting two IPs (IPv4 and IPv6) at once, but with other clients you can probably get a dual-stack IPsec tunnel; I haven’t tested this.

The file androidCert.p12 has to be copied to the SD card of your Android device and imported into the certificate store, in Settings -> Security -> Import Certificate.
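The post does not show how androidCert.p12 was produced. The script below is an added example (mine, not the author's steps) that builds the private CA, the router certificate and the client certificate with the OpenSSL command line, and exports the client key, certificate and CA as one PKCS#12 file. The gateway name vpn.example.org, the file names and the P12_PASS variable are assumptions; the only thing taken from the post is the androidCert.p12 name.

```shell
#!/bin/sh
# Added example, not the post's own steps: builds a private CA, a server
# certificate for the router and a client certificate exported as
# androidCert.p12, the file the post has you import on the phone.
# Assumptions not taken from the post: OpenSSL is installed, the router's
# public name is vpn.example.org, and the PKCS#12 password comes from P12_PASS.
# Usage: P12_PASS=... sh make-certs.sh make [outdir]

umask 077   # private keys are created readable by the owner only

make_ca() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=OpenWrt VPN CA" \
        -keyout "$1/caKey.pem" -out "$1/caCert.pem"
}

make_server_cert() {   # $1 = output directory, $2 = gateway host name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/serverKey.pem" -out "$1/server.csr"
    # IKEv2 clients match the gateway name against the SAN, and the
    # strongSwan Android client expects the serverAuth extended key usage
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/server.ext"
    openssl x509 -req -days 730 -in "$1/server.csr" \
        -CA "$1/caCert.pem" -CAkey "$1/caKey.pem" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/serverCert.pem"
}

make_client_p12() {   # $1 = output directory, $2 = client name, $3 = p12 password
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/${2}Key.pem" -out "$1/$2.csr"
    openssl x509 -req -days 730 -in "$1/$2.csr" \
        -CA "$1/caCert.pem" -CAkey "$1/caKey.pem" -CAcreateserial \
        -out "$1/${2}Cert.pem"
    # key + certificate + CA in one bundle, so the Android import installs the chain
    openssl pkcs12 -export -name "$2" -passout "pass:$3" \
        -inkey "$1/${2}Key.pem" -in "$1/${2}Cert.pem" -certfile "$1/caCert.pem" \
        -out "$1/${2}Cert.p12"
}

# Checks: does a certificate chain to our CA, and which DNS name does it carry?
verify_chain() {   # $1 = output directory, $2 = certificate file
    openssl verify -CAfile "$1/caCert.pem" "$2" >/dev/null
}
san_of() {   # prints e.g. DNS:vpn.example.org
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

if [ "${1:-}" = make ]; then
    out=${2:-.}
    mkdir -p "$out"
    make_ca "$out"
    make_server_cert "$out" vpn.example.org
    make_client_p12 "$out" android "${P12_PASS:?set P12_PASS to the export password}"
    verify_chain "$out" "$out/serverCert.pem" && echo "server cert OK, SAN $(san_of "$out/serverCert.pem")"
    echo "copy $out/androidCert.p12 to the phone; caCert.pem, serverCert.pem and serverKey.pem go to /etc/ipsec.d/{cacerts,certs,private}"
fi
```

The DNS name placed in the server certificate's subjectAltName must be exactly what you later type into the gateway field of the Android profile, otherwise the client rejects the server. The password given in P12_PASS is the one Android asks for when importing the file.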

Enable and start the service:

# /etc/init.d/ipsec enable
# /etc/init.d/ipsec start

Now we have the IKE daemon running.

Because IPsec, unlike other VPN solutions, doesn’t create a virtual interface, the decrypted packets with source addresses in 192.168.12.0/24 (the pool configured in /etc/ipsec.conf) appear to arrive from our wan interface.

To fix this, I have created a new zone called “vpn”; the fastest way to do this is from the web interface. Create it and allow forwarding to the desired zones.

The zones configuration should look similar to this:

[Image: LuCI firewall zones]

As the zone has no interfaces associated with it, we need custom iptables rules to assign the right packets to our vpn zone. Add them to /etc/firewall.user, so every time the firewall reloads it will execute our script. It’s inspired by the script that can be found in the OpenWrt wiki.
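Neither the post's /etc/ipsec.conf nor its firewall.user script are reproduced here. As an added example (my own, not the author's script or the wiki's), the following script prints a strongSwan configuration for the certificate-only IKEv2 setup described above, together with the iptables rules that put packets decrypted from an IPsec SA into the vpn zone; with the argument "apply" it writes the files on the router instead. Only 192.168.12.0/24 and the zone name come from the post. The gateway name vpn.example.org, the certificate file names, the fd00:12::/64 IPv6 pool and the fw3 chain names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: prints (or, with "apply", installs)
# the strongSwan server config and the fw3 rules that steer decrypted IPsec
# traffic into the "vpn" zone created in LuCI. Assumptions not taken from the
# post: the router's certificate files are serverCert.pem/serverKey.pem under
# /etc/ipsec.d, its public name is vpn.example.org, and the IPv6 client pool
# is the ULA prefix fd00:12::/64. The chain names (input_rule, forwarding_rule,
# output_rule, postrouting_rule, zone_<name>_{input,forward,output}) are the
# ones fw3 creates; the "-m policy" match needs the iptables-mod-ipsec package.

VPN_NET4="192.168.12.0/24"   # client pool named in the post
VPN_NET6="fd00:12::/64"      # assumed IPv6 client pool
ZONE="vpn"                   # firewall zone created in LuCI

# strongSwan ipsec.conf: IKEv2, both sides authenticate with certificates,
# clients get an address from each pool and route everything through the tunnel.
ipsec_conf() {
    cat <<EOF
config setup

conn android
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%any
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightauth=pubkey
    rightsourceip=${VPN_NET4},${VPN_NET6}
    auto=add
EOF
}

# ipsec.secrets: which private key belongs to the router certificate
ipsec_secrets() {
    echo ": RSA serverKey.pem"
}

# Filter rules for one address family: only packets that were really
# decapsulated from an IPsec SA (-m policy --pol ipsec) may enter the zone.
zone_rules() {
    cmd=$1; net=$2
    cat <<EOF
$cmd -I input_rule      -m policy --dir in  --pol ipsec --proto esp -s $net -j zone_${ZONE}_input
$cmd -I forwarding_rule -m policy --dir in  --pol ipsec --proto esp -s $net -j zone_${ZONE}_forward
$cmd -I output_rule     -m policy --dir out --pol ipsec --proto esp -d $net -j zone_${ZONE}_output
EOF
}

# Everything that goes into /etc/firewall.user.
ipsec_zone_rules() {
    echo "# ipsec-zone rules: steer ESP traffic into zone \"$ZONE\""
    zone_rules iptables  "$VPN_NET4"
    zone_rules ip6tables "$VPN_NET6"
    # keep the wan masquerade from rewriting replies that go back into the tunnel
    echo "iptables -t nat -I postrouting_rule -m policy --dir out --pol ipsec --proto esp -d $VPN_NET4 -j ACCEPT"
}

case "${1:-print}" in
    apply)
        ipsec_conf > /etc/ipsec.conf
        ipsec_secrets > /etc/ipsec.secrets
        grep -q 'ipsec-zone rules' /etc/firewall.user 2>/dev/null \
            || ipsec_zone_rules >> /etc/firewall.user
        /etc/init.d/firewall reload && ipsec reload
        ;;
    *)
        ipsec_conf; echo; ipsec_secrets; echo; ipsec_zone_rules
        ;;
esac
```

Run it without arguments to inspect the output, or `sh ipsec-zone.sh apply` on the router to write the files and reload both daemons. caCert.pem, serverCert.pem and serverKey.pem must already be in /etc/ipsec.d/cacerts, /etc/ipsec.d/certs and /etc/ipsec.d/private. Once a phone is connected, `iptables -L zone_vpn_input -v` and `iptables -L zone_vpn_forward -v` should show the packet counters climbing; if they stay at zero, the policy match is most likely not available (check that iptables-mod-ipsec is installed).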

For Android, I recommend the strongSwan app. It’s very easy to set up and doesn’t need root, since it uses the VPN API built into Android 4.x.

Just load the certificate in the Android settings, as explained before, create a new profile of type “IKEv2 Certificate”, enter your gateway host, and you are done. All network traffic will pass through the new VPN.